[Openpgp-dt] settling on OCB nonce size of 120 bits?

Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 01 April 2022 18:45 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp-dt/lfk2L1Bo5CRjoVcKAMELxxEry54>

Hi folks--

Over in https://gitlab.com/openpgp-wg/rfc4880bis/-/issues/83 we were
discussing questions about whether we're actually ok going with an OCB
nonce size of 120 bits.

The main concerns raised were whether any implementers would have
difficulty with interfaces that were limited to 96 bits.  A casual
survey of underlying crypto libraries that offer an OCB interface
turned up one with that limitation (Python's cryptography module), but
that has since been fixed:

   https://github.com/pyca/cryptography/issues/6894

I worked with Ted Krovetz to construct test vectors for OCB with 120-bit
nonces using similar code to the code that generated the 96-bit nonce
test vectors in the OCB RFC:

    https://gitlab.com/dkg/ocb-test-vectors

So i'm inclined to say that we just go with 120-bit nonces, and close
issue 83 as resolved.

Does anyone want to try to gather more data, or can we just close the
issue?

        --dkg
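
The following is an added example, not part of the original message or of the linked test-vector repository. It builds the 128-bit nonce block defined in RFC 7253 (`num2str(TAGLEN mod 128, 7) || zeros || 1 || N`) to show why 120 bits is the largest nonce OCB can carry and how a 96-bit nonce is the same layout with 24 zero bits of padding. All function names and the sample nonces are constructed for illustration.

```python
# Added example (not from the original message): the nonce block layout
# from RFC 7253, num2str(TAGLEN mod 128, 7) || zeros || 1 || N.
MAX_NONCE_BITS = 120  # 128-bit block minus 7 tag-length bits and 1 separator bit


def format_nonce_block(nonce: bytes, taglen_bits: int = 128) -> bytes:
    """Return the 16-byte block OCB builds from nonce N before deriving Ktop."""
    nbits = len(nonce) * 8
    if nbits > MAX_NONCE_BITS:
        raise ValueError(f"{nbits}-bit nonce exceeds the {MAX_NONCE_BITS}-bit OCB limit")
    if not 1 <= taglen_bits <= 128:
        raise ValueError("tag length must be 1..128 bits")
    block = (taglen_bits % 128) << 121      # top 7 bits: TAGLEN mod 128
    block |= 1 << nbits                     # single 1 bit just above N
    block |= int.from_bytes(nonce, "big")   # N right-aligned in the block
    return block.to_bytes(16, "big")


def split_top_bottom(block: bytes) -> tuple:
    """Split into the value enciphered to get Ktop and the 6-bit 'bottom' shift."""
    bottom = block[-1] & 0x3F
    top = block[:-1] + bytes([block[-1] & 0xC0])
    return top, bottom


def padding_bits(nonce: bytes) -> int:
    """Zero bits between the tag-length field and the separator bit."""
    return MAX_NONCE_BITS - len(nonce) * 8


# Constructed sample nonces (not test vectors from the RFC or the linked repo).
NONCE_96 = bytes.fromhex("a0a1a2a3a4a5a6a7a8a9aaab")
NONCE_120 = bytes.fromhex("a0a1a2a3a4a5a6a7a8a9aaabacadae")

if __name__ == "__main__":
    for n in (NONCE_96, NONCE_120):
        top, bottom = split_top_bottom(format_nonce_block(n))
        print(len(n) * 8, padding_bits(n), top.hex(), bottom)
```

With a 120-bit nonce the separator bit sits directly next to the tag-length field, so there is no room for a longer nonce; an interface capped at 96 bits can only produce blocks with 24 zero padding bits.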